[cabfpub] [EXTERNAL]Re: Draft SMIME Working Group Charter

Wayne Thayer wthayer at mozilla.com
Tue Jan 29 14:53:58 MST 2019


My intention is not to prevent CAs from issuing S/MIME certificates
containing identity information. It's really what Ryan said and Rufus
reiterated.

There is a tremendous amount of work to do and the core of all of it is
cert profiles and email validation practices. I expect that it will take a
few years to get the core work published, and the complexity of identity
validation could easily extend that by a year or more. I am particularly
concerned (could just be my ignorance) about all the government-issued
identity certificates that are valid for S/MIME. Our identity validation
rules will need to support those use cases. Given how long S/MIME standards
have already waited behind governance reform, I prefer a narrower initial
scope that produces guidelines faster.

On Tue, Jan 29, 2019 at 2:18 PM Buschart, Rufus <rufus.buschart at siemens.com>
wrote:

> Hello!
>
>
>
> I would support the approach of Ryan (if I understood his approach
> correctly): Let’s start with the absolute minimal core and this is the
> validation of the email address and the definition of acceptable practices
> regarding key generation, key distribution and key escrow. I remember some
> discussions from last fall with Wayne about this issue when the new Mozilla
> Root Store Policies were drafted and it turned out that SMIME seems to be
> significantly different to TLS since the business needs are very much
> different. So there will be a lot to do with these issues.
>
>
>
> With best regards,
> Rufus Buschart
>
> Siemens AG
> Information Technology
> Human Resources
> PKI / Trustcenter
> GS IT HR 7 4
> Hugo-Junkers-Str. 9
> 90411 Nuernberg, Germany
> Tel.: +49 1522 2894134
> mailto:rufus.buschart at siemens.com <rufus.buschart at siemens.com>
>
> *From:* Public <public-bounces at cabforum.org> *On Behalf Of *Bruce Morton
> via Public
> *Sent:* Tuesday, 29 January 2019 21:50
> *To:* Wayne Thayer <wthayer at mozilla.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Subject:* Re: [cabfpub] [EXTERNAL]Re: Draft SMIME Working Group Charter
>
>
>
> Hi Wayne,
>
>
>
> Can you elaborate on why we should exclude identity validation from the
> initial scope?
>
>
>
> My thinking is that many CAs which are currently issuing S/MIME
> certificates are also including identity. I assume that most use similar
> methods that are defined in the BRs to validate identity. It would seem
> that it should be included in the scope to cover current practice.
>
>
>
> Thanks, Bruce.
>
>
>
> *From:* Public [mailto:public-bounces at cabforum.org
> <public-bounces at cabforum.org>] *On Behalf Of *Wayne Thayer via Public
> *Sent:* January 25, 2019 1:37 PM
> *To:* Ryan Sleevi <sleevi at google.com>; CA/Browser Forum Public Discussion
> List <public at cabforum.org>
> *Subject:* [EXTERNAL]Re: [cabfpub] Draft SMIME Working Group Charter
>
>
>
>
> I agree that we should exclude identity validation from the initial scope
> of this working group.
>
>
>
> On Fri, Jan 25, 2019 at 10:04 AM Ryan Sleevi via Public <
> public at cabforum.org> wrote:
>
>
>
> Finally, regarding membership criteria, I'm curious whether it's necessary
> to consider WebTrust for CAs / ETSI at all. For work like this, would it
> make sense to merely specify the requirements for a CA as one that is
> trusted for and actively issues S/MIME certificates that are accepted by a
> Certificate Consumer? This seems to be widely inclusive and can be iterated
> upon if/when improved criteria are developed, if appropriate.
>
>
>
> This would allow a CA that is not eligible for full Forum membership to
> join this WG as a full member. How would that work? Would we require such
> an organization to join the Forum as an Interested Party? If the idea is
> that such an organization wouldn't be required to join the Forum, then I
> don't believe that was anticipated or intended in the design of the current
> structure. It's not clear to me that we should permit membership in a CWG
> without Forum membership. For instance, allowing this may create loopholes
> in the IPR obligations that are defined and administered at the Forum level.
>
>
>
> There's also a bootstrapping issue for membership, in that until we know
> who the accepted Certificate Consumers are, no CA can join as a Certificate
> Issuer. I'm curious whether it makes sense to explicitly bootstrap this in
> the charter or how we'd like to tackle this.
>
>
>
>